
More Security Design

Two posts in two days, I'm not sure I can keep this pace up!

I came across the following article this morning, and since it keeps up the theme of building architecture, it makes a nice follow-on to my previous post. While I agree that developers should have a good grasp of secure coding techniques, I think security is still seen as something of an infrastructure problem (i.e. firewalls, ACLs, disk encryption, etc.) rather than something that developers need to worry about. Technologies like web application firewalls do nothing to help dissuade developers of this. The only way to ensure that security is 'built in' to applications is to ensure that there is consultation at the design phase between the development team or architect and the security team or architect. Application design needs to be viewed more like the design of a military installation than a skyscraper. In the same way that security specialists lay out the security of the base, the security guys should be laying out the security of the app and reviewing the developers' implementation of the security design.

What Makes a Good Security Design?

Yesterday, while attending a presentation at the VMware vForum event in Sydney, the presenter offered a view on architecture from 1st-century Roman architect Vitruvius which struck a chord with me from a security perspective. Rather than wait for the slide deck to get emailed to me (no, I didn't think to write it down verbatim at the time), I visited the great oracle Wikipedia, et voilà:

According to Vitruvius, a good building should satisfy the three principles of firmitas, utilitas, venustas, which translate roughly as –

Durability – it should stand up robustly and remain in good condition.
Utility – it should be useful and function well for the people using it.
Beauty – it should delight people and raise their spirits.

According to Vitruvius, the architect should strive to fulfill each of these three attributes as well as possible.


While I think these concepts are pertinent to all aspects of IT architecture, be it application, infrastructure or enterprise architecture, this is a security blog.

Durability, well, that's obvious enough: if your design doesn't stand up to the threats it will encounter throughout its lifespan, then it's not much of a security solution. Easier said than done, I know; people have been trying to build secure systems for as long as there has been something to protect and, by and large, attackers have found a way around these defences. That doesn't mean it's not a worthy quality to strive for in a solution, however.

Something which is too often forgotten when developing security solutions is usability. Security measures can be obstructive to the end user experience, which ensures that people will either find a way around them or, where they have an option, not use the system at all. Balancing the utility of the system with security helps ensure that security is not seen as a burden and is included by default in systems rather than as an afterthought.

Beauty... That doesn't seem to fit with security; your average security guy generally isn't the prettiest and no, this isn't referring to the subtle shading on your Visio diagram. For me, beauty in this context implies an elegance and simplicity of design. Too often designs are overly complex and, as a result, prone to errors, or they are clunky, inelegant and not fit for purpose. Complexity creeps into design for a number of reasons, from poor initial planning to integrating with legacy systems. While the architecture of IT systems is an inherently complex topic, beauty (simplicity and elegance) is an important aspect to keep in mind when developing your solution.

While it won't always be possible to achieve 100% success including all these aspects in the design, I do think they represent a worthy set of goals to keep in mind when deciding on which hue of pink would be the best background for your next Visio diagram.
